Abstract: A client application sends DNS requests to a threat protection service when a mobile device operating the client application is operating off-network. The application is configured to detect network conditions and automatically configure an appropriate system-wide DNS resolution setting. Preferably, DNS requests from the client identify the customer and the device to threat protection (TP) service resolvers without introducing a publicly-visible customer or device identifier to the DNS requests or responses. The TP system then applies the correct policy to DNS requests coming from off-network clients. In particular, the resolver recognizes the customer for requests coming for off net clients and apply the customer's policy to such request. The resolver is configured to log the customer and the device associated with requests from the TP off-net client. Request logs from the TP resolver are provided to a cloud security intelligence platform for threat intelligence analytics and customer visible reporting.

Abstract: The techniques herein provide for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure describes a method of providing integrity protection for traffic on the overlay network.

Abstract: A method to generate a trusted certificate on an endpoint appliance located in an untrusted network, wherein client devices are configured to trust a first Certificate Authority (CA) that is administered by the untrusted network. In this approach, an overlay network is configured between the endpoint appliance and an origin server associated with the endpoint appliance. The overlay comprises an edge machine located proximate the endpoint appliance, and an associated key management service. A second CA is configured in association with the key management service to receive a second certificate signed by the first CA. A third CA is configured in association with the edge machine to receive a third certificate signed by the second CA. In response to a request from the appliance, a server certificate signed by the third CA is dynamically generated and provided to the appliance.

Abstract: A method of multicasting real-time video is described. The method begins by establishing a multicast network of machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The multicast network preferably comprises a portion of an overlay network, such as a content delivery network (CDN). A video stream is published to the multicast network by (a) using the mapping infrastructure to find an ingress node in the multicast network, and then receiving the video stream from a publisher at the ingress node. One or more subscribers then subscribe to the video stream. In particular, and for subscriber, this subscription is carried out by (a) using the mapping infrastructure to find an egress node for the requesting client, and then delivering the video stream to the subscriber from the egress node. Preferably, the publisher and each subscriber use WebRTC to publish or consume the video stream, and video stream is consumed in a videoconference.

Abstract: A client application manages a resolver configuration and sends DNS requests to a threat protection service when a mobile device operating the client application is operating off-network. The client application detects network conditions and automatically configures an appropriate system-wide DNS resolution setting. DNS requests from the client identify the customer and the device to threat protection (TP) service resolvers without introducing a publicly-visible customer or device identifier. The TP system applies the correct policy to DNS requests coming from off-network clients. In particular, the TP resolver recognizes the customer for requests coming from such clients and applies the customer's policy. The resolver is also configured to log the customer and the device associated with requests from the TP off-net client. Request logs from the TP resolver are provided to a cloud security intelligence platform for threat intelligence analytics and customer visible reporting.

Abstract: A method to generate a trusted certificate on an endpoint appliance located in an untrusted network, wherein client devices are configured to trust a first Certificate Authority (CA) that is administered by the untrusted network. In this approach, an overlay network is configured between the endpoint appliance and an origin server associated with the endpoint appliance. The overlay comprises an edge machine located proximate the endpoint appliance, and an associated key management service. A second CA is configured in association with the key management service to receive a second certificate signed by the first CA. A third CA is configured in association with the edge machine to receive a third certificate signed by the second CA. In response to a request from the appliance, a server certificate signed by the third CA is dynamically generated and provided to the appliance.

Abstract: A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. A network-as-a-service customer operates endpoints that are desired to be connected to one another securely and privately using the overlay IP (OIP) routing mechanism. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport.

Abstract: A method to generate a trusted certificate on an endpoint appliance located in an untrusted network, wherein client devices are configured to trust a first Certificate Authority (CA) that is administered by the untrusted network. In this approach, an overlay network is configured between the endpoint appliance and an origin server associated with the endpoint appliance. The overlay comprises an edge machine located proximate the endpoint appliance, and an associated key management service. A second CA is configured in association with the key management service to receive a second certificate signed by the first CA. A third CA is configured in association with the edge machine to receive a third certificate signed by the second CA. In response to a request from the appliance, a server certificate signed by the third CA is dynamically generated and provided to the appliance.

Abstract: A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. A network-as-a-service customer operates endpoints that are desired to be connected to one another securely and privately using the overlay IP (OIP) routing mechanism. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport.

Abstract: The techniques herein provide for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure describes a method of providing integrity protection for traffic on the overlay network.

Abstract: The techniques herein provide for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure describes a method of providing integrity protection for traffic on the overlay network.

Abstract: A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport. According to another feature, data flows within the overlay directed to a particular edge region may be load-balanced while still preserving IPsec replay protection.

Abstract: This disclosure relates to enhanced overlay network-based transport of traffic to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing. A method of selecting an ingress edge region of the overlay network begins by mapping a service hostname to an IKEv2 destination of an outer IPsec tunnel associated with a first overlay network edge. An IKEv2 session is established from the first overlay network edge to the customer router. Upon tunnel establishment, a secondary lookup is performed to determine whether the first overlay network edge is an appropriate ingress region. Based on a response to the secondary lookup, a IKEv2 redirect is issued to a second overlay network edge. A new tunnel is then established from the second overlay network edge to the customer router. Thereafter, an additional lookup may also be performed to determine whether the second overlay network edge remains an appropriate ingress region.

Abstract: Techniques for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, are facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure describes managing and enforcing quality-of-service (QoS) in an Internet-based overlay network shared by a set of content provider customer entities. For each entity having a customer branch, the customer branch is coupled to the Internet-based overlay routing network. A quality-of-service (QoS) policy is configured for the customer. Utilization of the Internet-based overlay network against the configured QoS policy is then monitored. The QoS is then enforced for the customer and at least one other customer, based in part on the QoS policies. Capacity is enforced for a customer entity according to the QoS policy at one of: a global level, a geographical region level, and at the customer branch level.

Abstract: A mechanism to facilitate a private network (VPN)-as-a-service, preferably within the context of an overlay IP routing mechanism implemented within an overlay network. The overlay provides delivery of packets end-to-end between overlay network appliances positioned at the endpoints. During such delivery, the appliances are configured such that the data portion of each packet has a distinct encryption context from the encryption context of the TCP/IP portion of the packet. By establishing and maintaining these distinct encryption contexts, the overlay network can decrypt and access the TCP/IP flow. This enables the overlay network provider to apply one or more TCP optimizations. At the same time, the separate encryption contexts ensure the data portion of each packet is never available in the clear at any point during transport. According to another feature, data flows within the overlay directed to a particular edge region may be load-balanced while still preserving IPsec replay protection.

Abstract: A method of multicasting real-time video is described. The method begins by establishing a multicast network of machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The multicast network preferably comprises a portion of an overlay network, such as a content delivery network (CDN). A video stream is published to the multicast network by (a) using the mapping infrastructure to find an ingress node in the multicast network, and then receiving the video stream from a publisher at the ingress node. One or more subscribers then subscribe to the video stream. In particular, and for subscriber, this subscription is carried out by (a) using the mapping infrastructure to find an egress node for the requesting client, and then delivering the video stream to the subscriber from the egress node. Preferably, the publisher and each subscriber use WebRTC to publish or consume the video stream, and video stream is consumed in a videoconference.

Abstract: This disclosure relates to enhanced overlay network-based transport of traffic to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing. A method of selecting an ingress edge region of the overlay network begins by mapping a service hostname to an IKEv2 destination of an outer IPsec tunnel associated with a first overlay network edge. An IKEv2 session is established from the first overlay network edge to the customer router. Upon tunnel establishment, a secondary lookup is performed to determine whether the first overlay network edge is an appropriate ingress region. Based on a response to the secondary lookup, a IKEv2 redirect is issued to a second overlay network edge. A new tunnel is then established from the second overlay network edge to the customer router. Thereafter, an additional lookup may also be performed to determine whether the second overlay network edge remains an appropriate ingress region.

Abstract: A method of multicasting real-time video is described. The method begins by establishing a multicast network of machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The multicast network preferably comprises a portion of an overlay network, such as a content delivery network (CDN). A video stream is published to the multicast network by (a) using the mapping infrastructure to find an ingress node in the multicast network, and then receiving the video stream from a publisher at the ingress node. One or more subscribers then subscribe to the video stream. In particular, and for subscriber, this subscription is carried out by (a) using the mapping infrastructure to find an egress node for the requesting client, and then delivering the video stream to the subscriber from the egress node. Preferably, the publisher and each subscriber use WebRTC to publish or consume the video stream, and video stream is consumed in a videoconference.

Abstract: Techniques for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, are facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure describes managing and enforcing quality-of-service (QoS) in an Internet-based overlay network shared by a set of content provider customer entities. For each entity having a customer branch, the customer branch is coupled to the Internet-based overlay routing network. A quality-of-service (QoS) policy is configured for the customer. Utilization of the Internet-based overlay network against the configured QoS policy is then monitored. The QoS is then enforced for the customer and at least one other customer, based in part on the QoS policies. Capacity is enforced for a customer entity according to the QoS policy at one of: a global level, a geographical region level, and at the customer branch level.

Abstract: A method of multicasting real-time video is described. The method begins by establishing a multicast network of machines capable of ingress, forwarding and broadcasting traffic, together with a mapping infrastructure. The multicast network preferably comprises a portion of an overlay network, such as a content delivery network (CDN). A video stream is published to the multicast network by (a) using the mapping infrastructure to find an ingress node in the multicast network, and then receiving the video stream from a publisher at the ingress node. One or more subscribers then subscribe to the video stream. In particular, and for subscriber, this subscription is carried out by (a) using the mapping infrastructure to find an egress node for the requesting client, and then delivering the video stream to the subscriber from the egress node. Preferably, the publisher and each subscriber use WebRTC to publish or consume the video stream, and video stream is consumed in a videoconference.